I need to adjust the config so users on vlan 2 of both switches are able to access VLAN 1 of switch 2 (10.1.0.0/24 to 10.6.0.0/24 should be open). Nothing seems to work. There is no firewall in the middle.

Let's start with the basics: switch to switch links are typically tagged, with the links members of all vlans you want to pass over the link. Switch to device links are typically untagged with the port's PVID set to the desired VLAN. There is an exception to this guidance when a phone and computer are connected to the same switch port, but that doesn't apply here.

I'm not seeing your switch to switch link as being tagged for both vlans.

[Edit] Also be aware that vendors swap terms for common functions, trunking in particular. [/Edit]

I don't know HP switches, but if these are L3 switches then you only define an IP address on one switch to use as a router. Right now it looks like you have two L3 routers defined. But I may be off on this.

George is correct. It appears like you have one switch with a tagged port and the other switch has no tagged ports. Flip the tagged switch on your HP 2900 for the port that is connected to your HP 4200.

Be careful with terms between vendors... Trunking in Cisco means to send all vlans down through one port (to trunk them to another switch)... HP trunking is very different... it means to combine ports together to make a redundant and larger connection between switches (what 3Com used to call link aggregation).

Let me grab some lunch and I'll come back to you (unless someone else comes in and solves it for you before).

Your VLAN1 configurations are different on each switch. One has a different subnet of IP addresses than the other. You may want to try creating a third VLAN to give all your switches the same information to work off of.

10.5.0.0 should NOT have access to the 10.6.0.0 subnet. That's why I am not sure how the 3rd VLAN will help.

Remember the first guidance: switch to switch links are tagged, and these ports need to be members of all vlans you want to pass over the link. Your second switch is not tagged for vlan1 on port 48.

Once this is set up, the first step is to connect a device on a port attached to vlan 1 on both switches. Then ensure you can ping the remote device. Do the same for vlan 2. Make sure your vlans are working correctly before you mess with routing.

Members of VLAN2 on both switches can see each other (obviously they are in the same subnet and same VLAN).

However, I cannot go from VLAN2 on either switch to VLAN1 of the 2900 switch. No routes have been created.

Ok, so you established that the vlans are crossing the link without issue. Now only define an L3 router on one switch (probably the fastest switch).

With statically defined test machine(s) (one on each vlan), ensure the default route points to the LAN interface of the L3 router. A ping between these will test if your router is passing traffic as it should. Use static stuff just to ensure you have the routes set up correctly. If you have an internet router in the mix, you may need to add a static route to this router so it knows how to find the newly created vlan's subnet.

We are down to a simple routing issue now. You have a router defined on both switches; remove one of them, it is not needed. To do this remove the IP address statement and probably the igmp one. Your L3 switch knows the routes but all other devices don't. You need to adjust your settings accordingly. On your new vlan the default route for all devices should point to 10.1.0.10; this will tell all clients on this network that this is the way out of the 10.1.0.X subnet.

For the clients on the 10.6.0.x vlan, they need to know how to find the 10.1.0.x folks. I assume their default route is already set to your internet gateway (you didn't provide enough info on your current design so I'm guessing here). For the vlan 1 people you can't change their default route since it will mess up their internet access. So in your internet router (or whatever router is your default for vlan 1) you will have to add a static route to 10.1.0.x via gateway 10.6.0.10.

With this in place the 10.1.0.x people know how to get out based on their default route and the 10.6.0.x people know how to reach the 10.1.0.x people because their default router knows how to contact them.

One way to do this would be to have routes set up allowing 2-way communication between the vlans. Test communications. Then create an ACL denying all communication to the other vlan. Then add an ACL entry to allow all from the specific PC/server(s) that need to communicate with the other vlan. Once you have that tested you can start to lock down the ACL to certain protocols. I would create a test environment for this if possible, like creating 2 additional vlans and assigning them to unused ports if possible. Adding these new subnets shouldn't affect your clients in any way and will allow you to build a config that works without disrupting the work in their areas.
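As an added illustration of the ACL ordering described in that post (not code from the thread or from HP), here is a small first-match ACL evaluator in Python using the thread's two subnets; 10.1.0.25 and 203.0.113.5 are constructed placeholder addresses, and the shadowing check flags a host permit that a broader earlier deny would swallow.

```python
import ipaddress
from collections import namedtuple

# Constructed model of the post's approach: specific permits for the hosts that
# must cross VLANs, then a blanket inter-VLAN deny, then leave everything else
# (internet traffic) alone. The ACL is stateless, so replies need their own entry.
Rule = namedtuple("Rule", "action src dst proto dport")   # proto/dport None = any
Packet = namedtuple("Packet", "src dst proto dport")

def matches(rule, pkt):
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in (None, pkt.proto)
            and rule.dport in (None, pkt.dport))

def evaluate(acl, pkt):
    """First matching rule wins; implicit deny if nothing matches."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# 10.1.0.25 is a constructed example server on vlan2 (10.1.0.0/24) that vlan1
# (10.6.0.0/24) users may reach on TCP 445 only; all other cross-VLAN traffic is denied.
INTER_VLAN_ACL = [
    Rule("permit", "10.6.0.0/24",  "10.1.0.25/32", "tcp", 445),   # file share only
    Rule("permit", "10.1.0.25/32", "10.6.0.0/24",  "tcp", None),  # server replies
    Rule("deny",   "10.6.0.0/24",  "10.1.0.0/24",  None,  None),
    Rule("deny",   "10.1.0.0/24",  "10.6.0.0/24",  None,  None),
    Rule("permit", "0.0.0.0/0",    "0.0.0.0/0",    None,  None),  # everything else untouched
]

def shadowed(acl):
    """Indices of rules that can never match because an earlier, broader rule
    already covers every packet they would match (the classic wrong-order bug)."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
                    and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
                    and earlier.proto in (None, later.proto)
                    and earlier.dport in (None, later.dport)):
                out.append(j)
                break
    return out
```

Run `shadowed()` on any ACL before loading it: a non-empty result means a permit you intended is unreachable behind the deny-all.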

FWIW, you don't have any ports on the 4200 allocated to VLAN2. Now your link between the two is tagged; it may have been working because of the default PVID, but this is mixing rules. Keep it clean and consistent. This is all you need for the switch and L3 router on the 29xx switch. Where you place the router is not important. You only need one router. The rest of the changes are external.

This is just simple IP routing here. For the devices connected to vlan 2 (10.1.0.X), they must have their default route set to 10.1.0.10. This will tell the clients how to leave the 10.1.0.X subnet. Once this default route is in place you should be able to ping both sides of the L3 router in the 29XX switch.

For clients on the 10.6.0.X subnet, I assume their default route is set to your internet router (again just guessing). Your internet router needs to have a static route created to send stuff destined to 10.1.0.X via 10.6.0.10. Once this route is in place, from the 10.6.0.X subnet you should be able to ping any device on the 10.1.0.X subnet.
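To make the two-step routing picture from this post and the earlier one concrete (vlan 2 clients defaulting to 10.1.0.10, vlan 1 clients defaulting to the internet router, and that router needing a static route back via 10.6.0.10), here is an added Python model that is not from the thread; the internet router at 10.6.0.1 and the hosts 10.1.0.50 and 10.6.0.50 are constructed placeholders.

```python
import ipaddress

# Constructed model of the thread's design: vlan2 = 10.1.0.0/24, vlan1 = 10.6.0.0/24,
# a single L3 router on the 29xx switch (10.1.0.10 / 10.6.0.10) and an internet
# router assumed at 10.6.0.1 (placeholder, not given in the thread).

def lookup(routes, dst):
    """Longest-prefix match: next hop for dst, or None if the table has no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in routes.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None

def build_devices(internet_router_knows_vlan2):
    """name -> (interface addresses, route table). 'direct' = deliver on the attached
    subnet; 'upstream' = hand off to the ISP, which is the end of the path here."""
    inet_routes = {"10.6.0.0/24": "direct", "0.0.0.0/0": "upstream"}
    if internet_router_knows_vlan2:
        inet_routes["10.1.0.0/24"] = "10.6.0.10"   # the static route the thread calls for
    return {
        "vlan2-pc": (["10.1.0.50"], {"10.1.0.0/24": "direct", "0.0.0.0/0": "10.1.0.10"}),
        "vlan1-pc": (["10.6.0.50"], {"10.6.0.0/24": "direct", "0.0.0.0/0": "10.6.0.1"}),
        "29xx-l3":  (["10.1.0.10", "10.6.0.10"],
                     {"10.1.0.0/24": "direct", "10.6.0.0/24": "direct"}),
        "inet-rtr": (["10.6.0.1"], inet_routes),
    }

def trace(devices, src_name, dst_ip, max_hops=8):
    """Follow next hops from src_name toward dst_ip. Returns the device names on
    the path (ending at the destination's owner) or None if a hop drops the packet."""
    owner = {ip: name for name, (ips, _) in devices.items() for ip in ips}
    current, path = src_name, [src_name]
    for _ in range(max_hops):
        if dst_ip in devices[current][0]:
            return path                             # arrived
        nexthop = lookup(devices[current][1], dst_ip)
        if nexthop in (None, "upstream"):
            return None                             # no route, or leaked to the ISP
        current = owner.get(dst_ip) if nexthop == "direct" else owner.get(nexthop)
        if current is None:
            return None                             # nobody owns that address
        path.append(current)
    return None                                     # loop or too many hops

if __name__ == "__main__":
    for has_static in (False, True):
        devs = build_devices(has_static)
        print(has_static, trace(devs, "vlan1-pc", "10.1.0.50"))
```

Without the static route the vlan 1 side has a path only as far as the internet router, which is why the ping from 10.6.0.X fails even though the L3 switch itself routes fine.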

1. Tagging port 48 for vlan1: Not sure about this one. I do not want the nodes on this VLAN to see the 10.6.0.0 folks.

No problem here, all tagging does is encapsulate a normal network packet inside a vlan packet. Just in case you ever plan on implementing vlan2 clients on the 4200, you are just sending the vlan 2 tagged packets over the wire. The 4200's port PVID commands

    vlan 1
    untagged 1-47

will keep them isolated onto vlan1.

GoodGuy2K wrote:

2. I see that you removed the routes from within the switch configurations. So those routes are not needed there?

The L3 router in the 29XX switch knows how to route between the networks; it is all of the other devices you need to tell (I'm not 100% positive how HP handles this, the Cisco L3 routers don't need specific static routes). You can add the routes here, but they should not be necessary. The devices on vlan2 need to know how to get off vlan2 and the devices on vlan1 need to know how to find vlan2.